RazorHost _UserList sample exposes on a Portal all user's names and emails on Host
Standard RazorHost sample script _UserList returns all of the users on a DNN installation. In a situation where the site is hosting many customers as portals, this exposes the complete list of customers (users) names and email addresses if the individual portal is allowed to use the RazorHost module (default).
I tested this on a free hosting service, was able to create a bogus free portal and gain access to the complete list of users (actually got tired of waiting for all 62 thousand users to be returned ).
The attached revised script would only list out the users of the single portal, leaving responsibility of protecting the user information with that portal admin.
QA Test Plan
Re-verified Platform/Content 7.3.4 build 45
The UserList sample script only returns users for a single portal where it is run
Verified script fix
7.3.3 build 93 platform/content clean installation and upgrade scenarios